topic Re: multiple/same networks in different VLANs in General Topics

multiple/same networks in different VLANs

MEckardt — Mon, 03 Apr 2023 06:11:09 GMT

Hey,

i dont know how to handle this scenario (or where my setup/my thinking is wrong...):

We have several VLAN's (901-920) and in every VLAN we have the SAME Network-Adresses (Customer-Machines/SPS 172.0.0.0/16).

My Plan was to add a Gateway for every single VLAN and than NAT/Routing. At this Time our Devs can only connect "directly"

eg:

GW 2 192.168.70.6/30 - VLAN 902 - NAT Rule 902 (from 70.6 to 172.27.250.250/16)

GW 3 192.168.70.10/30 - VLAN 903 - NAT Rule 903 (from 70.10 to 172.27.250.250/16)

GW 4 192.168.70.14/30 - VLAN 904 - NAT Rule 904 (from 70.14 to 172.27.250.250/16)

...

can you give me some hints for getting this setup work or isnt that possible ?

I would like for the devs to move away from "I connect directly to the vlan with a 172 address" and towards routing via paloalto...

ty for tips !!

Re: multiple/same networks in different VLANs

seb_rupik — Mon, 03 Apr 2023 08:50:26 GMT

Hi there,

All of VLANs share the same /16 IP address space, but you have configured the VLAN interface as a /30. The interface will not ARP for addresses outside of its /30 . Does this setup actually work on a per-VLAN basis??

Upon reading the question I was going to point out that you can't create multiple VLAN interfaces which exist within the same /16 subnet. You could share the same /16 allocation and carve it (multiple /21's) up between the interfaces, but this would require the connected hosts to have their netmasks and gateway address configured. But would allow the host to share the same classful /16 address.

The only other solution is to use multiple virtual routers (VRs), as this will allow you to have identical IP interfaces on the device. You would need to configure unique loopback interface within each VR and advertise that /32 address between the VRs. Then configure source NAT for the /16 hiding it behind the local /32. The only problem with this solution is the platform limitation for the number of configurable VRs

cheers,

Seb.

Re: multiple/same networks in different VLANs

MEckardt — Mon, 03 Apr 2023 09:22:52 GMT

Hi,

Does this setup actually work on a per-VLAN basis??

nope, my setup doesnt work... i tried many options, nothing worked.

my goal: devs enters a specific route (route add 172.0.0.0/16 GW 192.168.70.6 for VLAN 902). after deleting this route on the client he should be able to enter a new route for vlan 906 eg with GW 70.22.

setup with VR's: when im right the 3220 can handle "only" 10 VR, so this doesnt work for us...

Re: multiple/same networks in different VLANs

seb_rupik — Mon, 03 Apr 2023 10:16:49 GMT

Hi there,

For that desired setup to work, each IP interface must have a /16 netmask, but that is not possible when they share the same routing table.

Also, how would a local host simultaneously communicate with hosts on-link and in another VLAN which shares the same /16 subnet. The best you could hope for is to configure a 1:1 static NAT where let say:

VLAN901 172.27.0.0/16 is NAT'd using a source pool of 172.60.0.0/16

VLAN901 172.27.0.0/16 is NAT'd using a source pool of 172.61.0.0/16

..etc...

You would then advertise the NAT pools between the VRs, but again as you point out, you only have 10 VRs to use. Can you get hold of another PA and perhaps route these NAT pools between them?

cheers,

Seb.

Re: multiple/same networks in different VLANs

MEckardt — Mon, 03 Apr 2023 10:58:36 GMT

Thanks for trying to help, it seems with my current setup/hardware its not possible.. and no, i dont have another PA, i might be cheaper and perhaps easier when we install a static hardware device (little Cisco 8Port Managed Switch) with NAT/routing in each VLAN (different WAN-IPs to internal network), hope this could do the job too...

Ty Seb !